Support Staff2 Posted by Eric Hodel on 28 Jan, 2010 11:33 PM
This is a hard problem to solve: if dependency substitution is
allowed, there's no way to protect against accidentally using
malicious code. A malicious author could upload a library that
satisfies or even overrides the dependency.
We've discussed this numerous times on the RubyGems mailing
list, but have yet to come up with a good solution that solves this
problem that we can implement. You're welcome to discuss this
further on the mailing list if you have any ideas.
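The substitution risk described in this reply, modelled as an added Ruby example (not RubyGems code and not part of the original thread): a resolver that accepts any package claiming to satisfy a dependency picks up a constructed substitute, while a lockfile-style resolver that pins exact name, version and checksum rejects it. All package names, versions and checksums below are constructed placeholders.

```ruby
require "rubygems" # for Gem::Version comparison (ships with Ruby)

# Constructed sample index: name, version, the dependency names the
# package claims to satisfy, and its checksum. None of this is real data.
Package = Struct.new(:name, :version, :provides, :sha256)

SAMPLE_INDEX = [
  Package.new("rack",      "1.1.0", ["rack"], "sha256-of-rack-1.1.0"),
  # Constructed: an unrelated upload that merely claims to satisfy "rack".
  Package.new("rack-fast", "9.9.9", ["rack"], "sha256-of-rack-fast"),
  # Constructed: a newer upload under the same name (an "override").
  Package.new("rack",      "1.1.1", ["rack"], "sha256-of-rack-1.1.1")
]

# Lockfile-style pin recorded at install time: exact version and checksum.
SAMPLE_LOCK = { "rack" => { version: "1.1.0", sha256: "sha256-of-rack-1.1.0" } }

# Substitution allowed: any package that says it provides the dependency
# is a candidate and the highest version wins. This is the failure mode
# the reply describes: the chosen package may be one nobody asked for.
def resolve_with_substitution(dep, index)
  index.select { |p| p.provides.include?(dep) }
       .max_by { |p| Gem::Version.new(p.version) }
end

# Pinned resolution: only the exact name, version and checksum recorded
# in the lock are accepted; anything else yields nil instead of being
# silently swapped in. A missing pin is also a rejection.
def resolve_pinned(dep, index, lock)
  pin = lock[dep]
  return nil unless pin
  index.find do |p|
    p.name == dep && p.version == pin[:version] && p.sha256 == pin[:sha256]
  end
end

if __FILE__ == $0
  chosen = resolve_with_substitution("rack", SAMPLE_INDEX)
  puts "substitution -> #{chosen.name} #{chosen.version}"
  pinned = resolve_pinned("rack", SAMPLE_INDEX, SAMPLE_LOCK)
  puts "pinned       -> #{pinned ? "#{pinned.name} #{pinned.version}" : "rejected"}"
end
```

Running it prints the substitute "rack-fast 9.9.9" for the permissive resolver and "rack 1.1.0" for the pinned one; removing or altering the pinned entry in the index makes the pinned resolver return nil.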